IANAL but if this is actually true then they're violating California law.
I submitted a CCPA request to them to give me and delete everything they had on me.
Their response is that they own no data, and I have to make the request to their customer, whomever that may be.
If they're retaining any identifying data about me and then selling it to new customers, they are explicitly violating CCPA.
IANAL, but making some assumptions to fill in gaps, it seems they are avoiding having to comply with CCPA and other privacy laws like this: they harvest camera data and retain the images probably forever, but only turn it into identifying data on demand for customers. So you really do have to go talk to the customer, because Flock never "has" any identifying data about anyone, they just have anonymous images that when mixed with a model happen to produce identifying data.
This allows them to promise that they don't keep any data and have strict retention policies etc. to jurisdictions that are on the fence or where the contract-purchasers are constrained by law in some way, but they can transfer identifying information at any point in the future to any customer, by mixing raw data and a model.
That’s nice you got a response from them. I did not.